When God commanded, “You shall not steal,” (Exodus 20:15) He knew the human heart would be predisposed to covetousness. You could argue that one aspect of the first sin was stealing, as Adam and Eve took from God what He told them was not theirs for the taking. Thievery is still alive and well in the hearts of sinners everywhere, and the internet has provided new means for these coveters to steal from others—often without the physical risk that comes with stealing from a store or a home or a person!
Contrary to some generally held misunderstandings, thieves and burglars aren’t simply stupid idiots who couldn’t get a job or weren’t smart enough for college. Many people who steal are very intelligent. I’d call them lazy, but their laziness is only in regard to working God’s way—they often spend more time and effort to conceive of and implement their thievery than it would take to just earn the money honestly. With that in mind, we need to be wise as serpents as we sojourn here in this wicked land. Here is a heads up about some scams you may encounter.
Phishing for Authentication Code
For the sake of the story, let’s say I put a toaster on Craigslist for sale. I listed it as “Toaster – $25.” I’m excited to sell my item, so when I receive a text a few minutes later which says “I want to buy your ‘Toaster – $25’ are you a real seller?” I get pretty interested. Then I receive a text from the same number which says, “I sent you Google verification code to make sure you aren’t scamming me, what is it?”
Immediately, I receive a six-digit code from Google. “Oh, this must be the code this person who is concerned I am scamming them sent me.” WRONG! Do you see what this scammer does? First, they act interested in your item. This gets you in “I’m-about-to-finally-sell-this-toaster-mode.” Then they turn it around and act concerned that you’re a scammer. Since you are not and you want to assure a potential buyer, you now have the psychological mindset to prove you are not a scammer. Suddenly they ask for a Google code, and, voilà, you have one on your phone.
Well, of course, you know that you never logged into Google. So they tried to get into Google with the information you provided in your Craigslist ad, and now they are just waiting for you to provide the final code so they can control your account. Never give your multi-factor-authentication codes to anyone! Avoid this scam by blocking the number, or play with them a little, but never give them any information. I generally give the person the gospel and see what happens.
Need to Verify Your Account
Another common scam is a very official-seeming email that says you need to verify your account or it will be suspended/deleted/whatever. It usually includes a link to click to verify and something about entering your password. I’ve never fallen for one of these so I’ve never clicked the link, but my guess is you’d be taken to a very official-looking page and asked for a username and password, which the thieves would then steal.
Chances are there is software reading what you enter which would very quickly compromise your account and steal other information, maybe even locking you out of your email. If you ever fall for one of these, try to change your password quickly and consider calling your email provider to help you.
Credit Card Autofill
Do you know that really neat feature that was first really common in Google Chrome called Autofill? Yeah, you fill out form fields such as Name, Email, Address, etc. and then your browser offers to remember those. Then the next time you are on a form in your browser, it offers to fill them in for you. Saves a lot of time typing and prevents typos, yay! It even can save your credit card number and CVV code and expiration date for financial transactions.
Slow down, Speedy Gonzalez, this is not a good idea! Did you know there is such a thing as “hidden fields” in HTML (the markup language which is used for web pages)? Get this, you may go to a page which only requests your name, email, and zip code—while in the background your handy-dandy autofill is filling out hidden credit card fields. As soon as you click the Submit button, the thieves have your information—and you likely didn’t bother to ensure it was a secure connection. Uh oh.
So keep as little information as possible in the autofill section and deal with the frustration of having to enter things each time. There are other ways to simplify that though. If you’re interested, leave a comment and I’ll tell you how I use AutoHotkey. Nevertheless, always be wary, and know how to contact your credit or debit card company to put a hold on your card to prevent theft if it does get compromised.
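The hidden-field trick described above can be checked for from the defender's side. This is an added example, not part of the original post: it scans a page's HTML for form fields that ask for card data while being kept out of view. The sample page, the field names and the matching heuristics are constructed assumptions.

```python
from html.parser import HTMLParser
import re

# Autofill tokens (HTML autocomplete attribute) that map to payment-card data.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
               "cc-exp-year", "cc-csc"}
# Inline-style patterns that take a field out of the user's view (heuristic).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top|margin-left|margin-top)\s*:\s*-\d{3,}", re.I)
# Field names/ids that suggest card data even without an autocomplete hint.
CARD_NAME = re.compile(r"card|cc[-_]?(num|exp|csc|cvv)|cvv|cvc", re.I)

class HiddenCardFieldFinder(HTMLParser):
    """Collects form inputs that ask for card data but are not visible."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select"):
            return
        a = {k: (v or "") for k, v in attrs}
        tokens = set(a.get("autocomplete", "").lower().split())
        wants_card = bool(tokens & CARD_TOKENS) or bool(
            CARD_NAME.search(a.get("name", "") + " " + a.get("id", "")))
        hidden = (a.get("type", "").lower() == "hidden"
                  or "hidden" in a  # boolean `hidden` attribute
                  or bool(HIDING_STYLE.search(a.get("style", ""))))
        if wants_card and hidden:
            self.findings.append(a.get("name") or a.get("id") or tag)

def find_hidden_card_fields(html):
    """Return the names of card-related fields the user cannot see."""
    finder = HiddenCardFieldFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: three visible fields, two card fields out of view.
SAMPLE = """
<form action="/signup" method="post">
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <input name="zip" autocomplete="postal-code">
  <input name="cardnumber" autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input name="exp" autocomplete="cc-exp" style="opacity: 0; height: 0">
</form>
"""

print(find_hidden_card_fields(SAMPLE))
```

The check only looks at attributes and inline styles on each field; hiding done through a separate stylesheet or script is not evaluated, so an empty result is not proof that a form is safe.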
Every once in a while a corporation is compromised and they make it publicly known*. This happened to linkedin.com. I have an account on linkedin.com and I updated my password after they notified me. Ever since then I have received regular emails that say something like this:
Hello, I know your password is <myOldPassword>. I have seen what you do the internet. You have really sick taste, man! I bet you hope your wife never finds out! Send me $50 bitcoin today and I will make sure your dirty little secret is safe.
Because of my clear conscience pertaining to the internet and pornography, I wasn’t bothered. But imagine a guy who dips into that once in a while, will you? An email like that could be very scary, and they might end up paying the guy! A couple of lessons: 1) stay clear of porn and stuff and 2) have a different password for every website.
Because I only used <myOldPassword> for linkedin, I knew immediately that the password they were using to coax me was the very password I knew I had changed already! I didn’t have any concern that now they had my Google or Facebook or Twitter or Bank or Blog password. Which leads me to…
How to Set a Good Password
Ok, so I mentioned in the previous section that I have a different password for every account. This is 99% true. Here’s how to do it. There are a few rules you want to follow for setting good passwords.
- Keep them all different. That way, if someone steals one password *or even if you have to give a friend one for a reason*, they don’t have all your passwords as the result.
- Make your passwords unguessable, but derive-able. Let me explain. If your password is XASDFUIaTg-908)(*34, sure no one will ever guess it, but you will also never remember it. So if you have trouble accessing your password-locker one day, you’re stuck out of that website (or you are writing it down which is another no-no)!
- Make derive-able passwords. Here’s an example. Let’s say I want to log into Twitter.com. I could do something like count the letters in Twitter (7), then take the 3rd letter (i) and the last letter (r) and make a password like 7Irmyfavoritedogbreed!. You will notice:
  - I capitalized the I.
  - I added a ! to the end.
  - I included the number 7 at the beginning and the letter r.
  - And I used my favorite dog breed as a base.

So my facebook password would be: 8Ckmyfavoritedogbreed! because it’s 8 letters, c is the third letter, k is the last letter and then I just include my dog breed and !

That’s a pretty simple set of rules to remember that will generate a unique password for most internet sites. Now some have different restrictions and you have to be creative, but no one is really guessing passwords, they are stealing them. So as long as your passwords are distinct, you haven’t compromised all your passwords if you compromised a single one. Making it based on the website you are logging into gives you the key you need every time you visit to “guess” your own password, while still making it practically impossible to guess.
Hope that Helps!
I hope these ideas help you navigate and be safe in this internet-driven culture. Leave a comment with your own ideas or experiences!
* Ok, this is scary. I was told by someone who works in this business area that banks are constantly compromised for dollar amounts that are so low that they just cover it up. Let me give you an example. A thief steals $1,000 from your checking account. The bank catches that it happened, fixes the hole in their security, erases the transaction (so you have your money), then tells no one. The bad publicity from folks losing trust in their security is more costly than just covering up the thievery!